cloudstack-dev mailing list archives

From John Kinsella <>
Subject Re: [DISCUSS] going away
Date Fri, 07 Mar 2014 01:21:18 GMT
So - I’ve browsed around a little after pondering the idea of doing crypto at the JS level,
but I can’t seem to make the argument and keep a straight face. I did find a JS library
[1] that would probably work, but still you’re left with 2 issues: 1) gotta get the library
securely to the browser (proper running SSL on the management server), and 2) You’d still
need a CA to sign the certs that run on the console proxy/SSVM [2]. 

So, nix that. It seems like the best way to do this is have security off by default, make
sure that’s very obvious to new users, and have a guide on how to get things production-ready.

Anyways - we almost have the patch ready. Amogh and I have gone back/forth on the review once
or twice; once we get I think just one more issue straightened out, we’re good.

2: Ya know…we could run a CA on the management server….</securityGeekHumor>

On Mar 6, 2014, at 4:53 PM, Kelven Yang <> wrote:

> On 3/2/14, 8:15 AM, "Paul Angus" <> wrote:
>> There are a few issues with the current console proxy setup, not least of
>> which is the need to have internet access to resolve in
>> the first place - so console proxy can't work if you don't have internet
>> access on your client.  I have configured alternative
>> setups for clients - and quite a lot of work goes into creating the
>> infrastructure (and certs) to support changing to a user managed
>> certificate.
>> Sooo, is it at all possible to secure communications with the console
>> proxy, without having to rely on ANY outside entity?
> console proxy client is based on AJAX channel provided by browser via
> Javascript engine, which leaves the security option to be pretty much on
> HTTPS, and it requires a server certificate to start with. So we don't
> have many choices here.
> -Kelven
>> Testing alone is going to be a pain, if a full ssl cert setup is required
>> to use console proxy..
>> Regards
>> Paul Angus
>> Cloud Architect
>> S: +44 20 3603 0540 | M: +447711418784 | T: CloudyAngus
>> -----Original Message-----
>> From: Amogh Vasekar []
>> Sent: 28 February 2014 23:05
>> To:
>> Subject: Re: [DISCUSS] going away
>> On 2/28/14 2:03 PM, "Nux!" <> wrote:
>>> There's also the problem of the certificate. It comes bundled in ACS as
>>> far as I can tell.. When does it expire?
>> notBefore=Feb  3 03:30:40 2012 GMT
>> notAfter=Feb  7 05:11:23 2017 GMT

Stratosec - Compliance as a Service
o: 415.315.9385
